Converged voice and data systems are now a reality. They are bringing a myriad of benefits to customers - ranging from efficient use of bandwidth to enhanced scalability, cost reductions and improved productivity.

Companies can now operate a wide range of applications over a single network platform including unified messaging, video conferencing, and flexible remote access. They can also achieve significant economies of scale by using just one management system to control the whole voice and data infrastructure.

Also, processing voice and data over a single infrastructure can allow substantial hardware savings to be made and eliminate the need for separate maintenance contracts. In addition, cabling at the user site can be reduced by the provision of a single point, supporting both data and voice.

However, for all its benefits, the advent of convergence has created some serious challenges for the industry. One of the most significant is the way in which the threat to systems security and in particular to the integrity of voice communications has changed.

Before the advent of convergence, voice traffic was relatively secure in the protective proprietary operating environment of the customer's PABX. Now, however, it is typically just another generic server type platform within a company's data system and, as such, subject to the same risks that affect the data environment as a whole including worms, viruses and password attacks.

One potentially vulnerable area is the voice-signalling server, used to set up and administer calls. If an attacker breaks into this system, he gains access to records of incoming and outgoing calls and information about their timings.

With an old-fashioned TDM PBX switch an intruder would typically have to have physical access to the phone line itself in order to attach a bugging device and eavesdrop on calls. Now, just by penetrating the VoIP gateway, he may place the voice conversation itself under threat not just from straightforward listening in, recording and replaying but even in some cases call redirection.

Perhaps even more alarmingly the availability of the IP network itself could be at risk, threatening the ability of an organisation to communicate via either voice or data.

For all these reasons, voice security is of critical importance. And while voice connectivity is often taken for granted by companies, when voice service fails even for a short time, it can have disastrous consequences. So what techniques can be used to protect voice traffic?

Overcoming the Obstacles
The challenge has several key elements. One of the key considerations is the need to secure voice traffic when in transit. Effective encryption is vital in this context to ensure that as the voice data passes through the network infrastructure, it is sufficiently protected to prevent attackers from accessing and reading it.

The second major threat is intrusion - people infiltrating either the network itself or systems or applications running on the network and corrupting or reconfiguring them. The normal approach here is to use a system of passwords to control user access. New forms of 'fingerprinting' security systems are under development. These will be used to track the activities of anyone breaking into the network and to identify and eliminate any viruses they leave behind.

However, because Voice over IP (VoIP) remains a relatively new development, critical security vulnerabilities are being identified all the time, leaving systems at risk from a broad range of potential attacks, leading to possible 'denial of service'.

In spite of these continued threats, there is still some naivety about the sensitivity of the marketplace to voice performance and voice resilience. But the industry is now starting to appreciate the true significance of robust voice solutions and the need to build this type of security functionality into applications. To underline this trend, many of the former data solutions giants are beginning to promote their voice capability and making use of it as a differentiating feature.

And many of the end users to whom they are selling do not have the budget or the in-house resources to manage or even fully understand all the security implications of the growing development of VoIP solutions.

Consequently, there is set to be significant market growth in solutions from the major providers that are designed to protect IP telephony platforms. Equally, the value of IP telephony security is likely to receive greater recognition and more robust voice security built into the fully converged solutions currently being developed for customers.

If end users are to have full confidence in migrating to VoIP solutions, it is essential that the major providers play a key role in this process.

To understand the nature of this role, you first need to appreciate that VoIP security cannot be seen in isolation. It is just one, albeit critical, part of the complex integration challenge facing providers of converged solutions today.

In the past, voice networks were generally robust and built on long established and evolved standards. Equally the process of PBX configuration had become almost routine and voice transmission plans, interface and integration processes well rehearsed.

Customers would typically specify the exact configuration and functionality of a PBX before purchase. The pre-configured switch would then be shipped to site and connected to the installed network circuits. The whole system would then be ready to switch on.

In the new converged age, the process is still more complicated. Today, almost every element of the solution from LAN to WAN and from call server to desktop, has a high degree of proprietary customisation embedded within.

The solutions provider will generally have to first build the voice servers and then install Quality of Service across both the WAN and the LAN before overlaying the architecture with a protective security platform.

Consequently, end users of VoIP systems increasingly require engineers and technical consultants with in-depth multi-disciplinary and multi-vendor skills and experience coupled with a detailed awareness of the voice and data security requirements of IP networks.

Such expertise is needed not just to advise on choice of solution and to carry out the necessary systems integration and implementation but also to provide the necessary advice and consultancy to customers on the most appropriate in-house security policies and procedures.

Unfortunately, people with these skills are in short supply. If this situation is to change, the industry needs to deal with the skills gap that continues to exist today. Ultimately, if the voice security battle is to be won, the most critical element will be the expertise and understanding of those implementing the systems and networks.

Use of this site is governed by our Terms of Use and Privacy Policy.
Copyright 1996- Ziff Davis, LLC. All Rights Reserved.
Reproduction in whole or in part in any form or medium without express written permission
of Ziff Davis, LLC. is prohibited.PCMag Digital GroupAdChoice